
all of the above infections, for a while now, very weird info

My computer is a Lenovo H405, Windows 7 64-bit. I am very inclined to believe that I have a rootkit/hijacker/worm. A while back I got infected and got ZeroAccess; I removed ZeroAccess, but the presence of malware was still there, so I decided I had to format and reinstall Windows. Everything was fine, but instead of updating Windows right away I came here to download all the recommended malware protection. Problem is, after downloading Malwarebytes/HitmanPro/MSE/AVG/Emsisoft/MRT, as well as League of Legends, before I know it I have AVG reporting changed apps. For me to get infected again was either because every computer in my network is infected, or because I didn't install the Windows updates first. Most of the scanners won't find anything, and when I went to update Windows half of the updates wouldn't install. Format again, I thought, but download the updates first. After a few more formats, I realized I am no match for this thing.

On a different computer in a different room, I started digging into program folders that I use, specifically League of Legends. Inside the folder I found logs that were referencing http:// (ip address)static. client bundle, or addresses close to that. I'm a little scared to check it exactly; when I first saw it, I copied the address and Googled it, and INSTANTLY my internet went down for that computer. I reset the modem, but only the other computer's internet came back. Actually, with the amount of formats I've been doing recently, I'm going to post a few lines of logs for League of Legends (note: this is the only program I've checked the folder for, because it was acting as weird as my other programs).

NOTE: the logs seemed suspicious, and based on the past few days I knew to make copies of anything I might need to look at.

Suspicious logs in League of Legends (I was already wary of League since it started taking a lot of bandwidth to random IPs):

I read in some texts and registries "mouse intercept hook" as well as "url hooks", so I Googled "hook" and stumbled upon what looks to be a hijacks forum, just like BleepingComputer, but everyone was posting comments on how to do malicious things. One guy said to another, "put your (whatever he said) inside the AppData folder because it's the norm." So I used that info to my advantage and checked my AppData folder, which was hidden, and found quite a few regtrans files.

This was found in one of the many, many configuration settings inside C:\Windows\inf, though on this part I'm not sure.

Not too sure what else to say; I've scanned with many antiviruses.

svchost

lsass.exe

These have both shown very peculiar activity; with one of my first formats AVG reported lsass as a changed application. ComboFix ended up messing my computer up regardless of following directions. AVG reports like 230 files locked that can't be scanned; HitmanPro early warning sign scoring gave me around 10 suspicious files that are Windows protected, since they are in system folders, one for example being lsass.exe, which it scored 13.0, and another scored 15.0.

Also, a few Windows protected files appeared 2 days after a format; I can't quarantine them, and deleting them makes the computer unbootable. MRT does not fix it.

Settings and programs change.

TrustedInstaller will have control of random registry keys and files, and will be running regardless of being disabled in Services.

EVEN AT THIS SITE, links will download infected programs or something. Sometimes if I check a link to a program I use a lot, the properties or download site will be random.

I'd have a lot of network access problems. I'd start the troubleshooter, and it'd go through the whole "find problems, attempting to fix, resetting local adapter," then it'll jump to "Windows couldn't find a problem" / "unknown error is preventing troubleshooting from starting". Somewhere in the registry I read the command for this; it was like "show troubleshooting message clean" or some type of emulator, I can't remember specifically at the moment.

It looks like an Asian-oriented hijack might be a part of all this. At one point (this has been going on for a while; I've been trying my hardest but to no avail) it said one of my files had the owner or some name in Chinese or something; I couldn't read it. Earlier today (I've only installed 2-3 programs and specifically no language packs), inside a folder I have a set of help panes, but they were in Chinese.

IE sometimes has random proxies.

If I check the last modified date/time, a lot of my folders will have been recently touched when I was AFK or doing something irrelevant.

Lastly, as another detail to help figure this out: when I had AVG installed, by checking the firewall logs I'd CONSTANTLY have blocked pings, literally like every second, some going out and some in. The port for one was like 5355 or something, as well as "filter device", and even svchost being blocked by AVG.

Too much info; I appreciate everyone who cared enough to click this thread, regardless of whether you can help. Thanks.


Welcome to BleepingComputer! My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.

When you post your reply, use the button.

In the upper right hand corner of the topic you will see the button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.

If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.

When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.

I would like to remind you to make no further changes to your computer unless I direct you to do so.

Now let's get started

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic. My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation:

Sorry for the delayed response, Jason. This infection is worse than I can comprehend. On secure sites I get a "page cannot be displayed" page when clicking on some links. I've noticed certain parts of sites are also blocked from my access, like words, phrases, and especially some sites. On top of that, my shortcuts become "ink". If that wasn't the worst, I've been downloading AV programs from here and Google that I now believe have been proxied and are more viruses. The same symptoms I have are on the computers in the house. Even my iPhone has discussions where users' references are just " " without the quotes. I'm in Linux right now; I will start from step 6 as soon as I install Windows 7 again, and then add to this post. When I searched the host on my other computer the internet shut down, so I'm a little wary, but I don't want to miss this chance in case you don't see what I see. I'm going to press post, then edit this post with that log again, then I'll edit again starting from step 6 tonight.

1st edit: a link with the article I believe was about the worm/rootkit or whatever I have was at https://support.microsoft.com/en-us/kb/303807 . If I inspect element, "no follow external link 3 l 0 l 3 l 8 l 0 l 7" without the letters or spaces seems to be the only clue I have at the moment. I'm only posting this because at the moment ESET Rescue Disk was running (started before I saw your post).

I know I said I'd get on last night, but the thing strips my C drive of everything but the boot files and puts it on an E drive... I used an image to flash back to a few days ago, but note that at this point I'm not sure what updates I have. The malware kept me from updating security; once I was able to get on I went straight to step 6. Also, the virus names Gen-Goo and Vundo popped up in a scan I did while using a boot CD to restore the image, and my hosts file keeps getting reset, in case that helps.

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (07/20/2015 10:34:05 AM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index server cannot find a description of the content index in its database. Search will automatically attempt to recreate the content index description. If this problem persists, stop and restart the search service and, if necessary, delete and recreate the content index. (HRESULT : 0x80041181) (0x80041181)

System errors:
=============
Error: (07/20/2015 10:34:05 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Details:
The content index server cannot find a description of the content index in its database. Search will automatically attempt to recreate the content index description. If this problem persists, stop and restart the search service and, if necessary, delete and recreate the content index. (HRESULT : 0x80041181) (0x80041181)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

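The FRST output above reports whether each core Windows binary is digitally signed, and earlier posts mention IE picking up random proxies and a hosts file that keeps being reset. The following PowerShell triage script is an added example, not part of the thread and not FRST's own code: it re-runs those three checks on the same file list. It assumes an elevated PowerShell prompt on the Windows 7 x64 machine under discussion; the lsass.exe entry (which the poster named but FRST's excerpt does not list) and the function names are my additions.

```powershell
# Added example (not from the thread, not FRST code). Three checks matching what the
# thread discusses: Authenticode status of the core binaries FRST listed, active
# (uncommented) hosts entries, and the WinINet proxy settings that IE uses.
# Assumes an elevated PowerShell prompt on the suspect Windows 7 x64 machine.

$coreFiles = @(
    'System32\winlogon.exe', 'System32\wininit.exe', 'SysWOW64\wininit.exe',
    'explorer.exe',          'SysWOW64\explorer.exe',
    'System32\svchost.exe',  'SysWOW64\svchost.exe',
    'System32\services.exe', 'System32\lsass.exe',      # lsass.exe added: the poster named it
    'System32\user32.dll',   'SysWOW64\user32.dll',
    'System32\userinit.exe', 'SysWOW64\userinit.exe',
    'System32\rpcss.dll',    'System32\drivers\volsnap.sys'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }

function Get-CoreFileSignatures {
    # One object per file with the Authenticode status and signer subject.
    # 'Valid'        = signature chains to a trusted root and the file hash matches.
    # 'HashMismatch' = the file was modified after signing: treat as hostile.
    # 'NotSigned' on Windows 7's PowerShell 2.0 can also mean the file is only
    # catalog-signed, so confirm with another tool (e.g. Sysinternals sigcheck -c)
    # or a known-good copy from install media before deleting anything.
    foreach ($f in $coreFiles) {
        if (-not (Test-Path -LiteralPath $f)) {
            New-Object PSObject -Property @{ Path = $f; Status = 'MISSING'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{
            Path = $f; Status = $sig.Status.ToString(); Signer = $signer
        }
    }
}

function Get-HostsOverrides {
    # The stock Windows 7 hosts file has every line commented out, so any active
    # line is an override that needs explaining (the poster says it keeps resetting).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-WinInetProxy {
    # IE, and anything else using WinINet, reads its proxy from the current user's hive.
    # A ProxyServer or AutoConfigURL (PAC) the user never configured is how "random
    # proxies" in IE usually appear, and it redirects every download through it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        ProxyOverride = $p.ProxyOverride
    }
}

Get-CoreFileSignatures | Sort-Object Status | Format-Table Status, Path, Signer -AutoSize
'--- active hosts entries ---'; Get-HostsOverrides
'--- WinINet proxy (HKCU) ---'; Get-WinInetProxy | Format-List
```

Two caveats a practitioner would apply to the symptoms in this thread: firewall logs full of UDP port 5355 traffic are LLMNR (Windows' link-local name resolution), which every Windows 7 host on a LAN emits constantly, so that line by itself is not evidence of compromise; and .regtrans-ms files under AppData are the registry's own transaction logs, present on every healthy installation. A HashMismatch on any file in the list, or an active hosts entry or proxy the user did not create, is the kind of finding actually worth reporting back to the helper.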

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.

Make sure that Addition.txt is checked before you press the Scan button.

Press Scan button.

It will make 2 logs (FRST.txt and Addition.txt) in the same directory the tool is run. Please copy and paste them both into your reply.
